Date:      Wed, 28 Apr 2010 12:55:25 -0500
From:      John <john@starfire.mn.org>
To:        John <john@starfire.mn.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Really simple spam trap - /dev/pf permissions?
Message-ID:  <20100428175525.GA4590@elwood.starfire.mn.org>
In-Reply-To: <20100428170027.GA3857@elwood.starfire.mn.org>
References:  <20100427193106.GA91570@elwood.starfire.mn.org> <4BD7DCE1.9070004@infracaninophile.co.uk> <20100428170027.GA3857@elwood.starfire.mn.org>

On Wed, Apr 28, 2010 at 12:00:27PM -0500, John wrote:
> On Wed, Apr 28, 2010 at 07:59:45AM +0100, Matthew Seaman wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On 27/04/2010 20:31:06, John wrote:
> > > I have done a monkey-simple spam trap.  It just so happens that I have
> > > a dozen or more user accounts that haven't been actually used in over five
> > > years and get dozens of spam hits every day.  I had been just sending
> > > them all to /dev/null with a sendmail alias.
> > > 
> > > It seems to me that these are perfect trap e-mails for spam, and
> > > in the course of playing with what I'm attempting to do, it really
> > > does look that the only thing that hits them are spam messages.
> > > 
> > > So, I built this really simple perl script, which gets invoked through
> > > a sendmail alias, as such:
> > > sink:	"| /home/john/spamsink >> /tmp/blacklist"
> > > and then I alias various of the old, dead accounts to "sink".
> > 
> > Check out the mail/spamd port -- it does what you want, and more
> > besides.  The keyword is 'greytrapping'.  Also, as it works against the
> > host that connects to your server, rather than anything in the message
> > headers (probably forged by the spammers) it's much better targeted.
> > 
> > Oh, and the action on discovered spammers is not simply to block their
> > access, but to engage them in a long drawn out and ultimately futile
> > SMTP conversation, thus wasting their resources and giving them a
> > generally bad day.
> > 
> > 	Cheers,
> > 
> > 	Matthew
> 
> That sounds cool, and I'll look at it again, but the last time I looked
> at it, the learning curve seemed prohibitive.  I wrote my script in
> less time than it took me to read the spamd man page - and that wasn't
> even counting the time I spent being confused over there being TWO
> different "SPAMD" programs...
> 
> With regard to the headers - the spammers CANNOT forge the most
> recent "Received: from" header, because that is generated by MY
> sendmail, and even if they "lie" about their name (DNS), the IP
> address given is the IP address that connected to my machine, which
> has to be correct in order for the SMTP "conversation" to occur.  The
> problem, as already elucidated by a previous poster, is if they
> come through a "common" or "choke point" SMTP server, I'll block a
> lot of legit e-mail, too.  So far, that does NOT appear to have
> happened to me, and as tighter and tighter controls are placed on
> relaying, I think that becomes even less of a risk.  Anyway, every
> two hours, I drop entries that are 2 hours old or older, so that
> should be manageable, as well.
> 
> Right now, my rule is set to RETURN and I wonder if it should be
> DROP instead.  Any feedback on what's "better"?
> 
> So far, I've seen over a 3/4ths reduction in SPAM hitting my inbox,
> so, it seems to be a moderate success, right now.  I've only had one
> spam site that was so persistent that it kept trying to deliver
> the messages until after the entry got cleared from the table.
> 
> I currently have 105 (a new high!) entries in my "spammers"
> table, and I've only gotten 2 spam e-mails in the last two hours.
> -- 
> 
> John Lind
> john@starfire.MN.ORG

I know that I'm replying to myself, but I just wanted to point out
that something said by someone else on this thread proved VERY
fruitful.  I was only looking for my own past, real users, but the
comment about dictionary attacks and "WKUN" (Well Known User Names)
got me to thinking, so I went and harvested my mail logs and found
a RICH SET of IDs which never existed on my system, but which are
GREAT spam traps.  Here's that tiny script:

-- begin script cookietrap
#!/usr/bin/perl -w

# Read mail log lines on STDIN; for every sendmail "User unknown"
# rejection, print the rejected address (the first <...> on the line).
while (<STDIN>) {
    if (/User unknown/) {
        if (/<([^>]+)>/) {
            print "$1\n";
        }
    }
}
exit 0;
-- end script cookietrap

Here's how I used it:
zcat /var/log/mail*bz2 | ./cookietrap | sort | uniq -c | sort -nr

That gave me a list of a couple of dozen "generated" usernames with
HUNDREDS of hits specific to my system that are now in my trap list.

Maybe my situation is unique, but this simple approach is proving
to be quite effective so far.  The next step, after simply relieving
my pain, will be to look at spamd and start CAUSING some spammer
pain, as well.
-- 

John Lind
john@starfire.MN.ORG
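The log-harvesting step described above, as an added Python example that is not part of the original post or of any FreeBSD tool: it parses sendmail-style "User unknown" rejections, folds address case, counts hits per rejected address and per connecting relay IP, and only proposes an address as a trap when it has been probed from more than one source, so a single misconfigured legitimate sender does not end up trapped. The log line shape, hostnames, addresses and IPs are all constructed for this example and are assumptions, not real data from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the general shape of sendmail "User unknown"
# rejections (host names, queue IDs, addresses and IPs are made up).
SAMPLE_LOG = """\
Apr 28 10:15:02 elwood sendmail[4012]: o3SFF2AB004012: ruleset=check_rcpt, arg1=<webmaster@example.test>, relay=[203.0.113.10], reject=550 5.1.1 <webmaster@example.test>... User unknown
Apr 28 10:15:03 elwood sendmail[4012]: o3SFF3AB004012: ruleset=check_rcpt, arg1=<Webmaster@example.test>, relay=[198.51.100.7], reject=550 5.1.1 <Webmaster@example.test>... User unknown
Apr 28 10:16:40 elwood sendmail[4020]: o3SFGeAB004020: ruleset=check_rcpt, arg1=<sales@example.test>, relay=[203.0.113.10], reject=550 5.1.1 <sales@example.test>... User unknown
Apr 28 10:17:11 elwood sendmail[4025]: o3SFHBAB004025: to=<john@example.test>, delay=00:00:01, mailer=local, stat=Sent
Apr 28 10:18:00 elwood sendmail[4031]: o3SFI0AB004031: ruleset=check_rcpt, arg1=<webmaster@example.test>, relay=[192.0.2.44], reject=550 5.1.1 <webmaster@example.test>... User unknown
"""

ADDR_RE = re.compile(r"<([^>]+)>")
# relay=name [ip] or relay=[ip]; capture the bracketed IPv4 address
RELAY_IP_RE = re.compile(r"relay=[^,]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def harvest_unknown(lines):
    """Map each rejected address to its hit count and the set of relay IPs."""
    hits = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in lines:
        if "User unknown" not in line:
            continue
        m = ADDR_RE.search(line)
        if not m:
            continue
        addr = m.group(1).lower()  # fold case so Webmaster/webmaster merge
        hits[addr]["hits"] += 1
        ip = RELAY_IP_RE.search(line)
        if ip:
            hits[addr]["sources"].add(ip.group(1))
    return hits

def trap_candidates(hits, min_hits=2, min_sources=2):
    """Addresses probed often enough, from enough distinct hosts, to trap."""
    return sorted(a for a, d in hits.items()
                  if d["hits"] >= min_hits and len(d["sources"]) >= min_sources)

if __name__ == "__main__":
    h = harvest_unknown(SAMPLE_LOG.splitlines())
    for addr, d in sorted(h.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{d['hits']:4d} hits {len(d['sources']):3d} sources  {addr}")
    print("trap candidates:", trap_candidates(h))
```

On a real box the input would be the output of `zcat /var/log/mail*bz2` rather than the embedded sample.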
